Hi all

Recently I needed to install a certificate into the machine-wide Trusted
Publisher store of Windows. Basically I was forced to do so because I need
to install a driver signed with that certificate. If this certificate is not
installed to the Trusted Publisher store prior to installing the driver
itself, Windows will display a prompt dialog asking whether to install the
driver or not. This prompt is not shown if the certificate is present in the
Trusted Publisher store at the beginning of the driver installation.

Now of course one can argue that this is not the way it is supposed to be
done and I would even partially agree. However, without doing this the
installation experience is affected because I install multiple MSIs using a
bootstrapper. In the middle of the installation that prompt dialog will
appear. But let us leave aside if this should be done at all for a moment
because the issue does not really have to do with this.

In order to install that certificate I use "iis:Certificate" with the
attribute StoreName="trustedPublisher". This works well. However, as it
turns out, there is a group policy called "Certificate Path Validation Settings"
which can prevent users and administrators from installing certificates into
the Trusted Publishers store. The group policy is available here:

gpedit.msc -> “Local Computer Policy” -> “Computer Configuration” ->
“Windows Settings” -> “Security Settings” -> “Public Key Policies” ->
“Certificate Path Validation Settings”

If the computer is part of a domain it is possible to activate the option
"Allow only enterprise administrators to manage Trusted Publishers" in the
"Trusted Publishers" tab of that policy. If the policy is active and the
installer attempts to install the certificate the installation will fail
since only enterprise administrators are allowed to install certificates.

The error that I'm getting in such a case is as follows:

The installer has encountered an unexpected error installing this package.
This may indicate a problem with this package. The error code is 26352. The
arguments are: -2147024891, , 
AddMachineCertificate:  Error 0x80070005: Failed to install certificate.

Actually the error itself absolutely makes sense. However, it would be
useful if iis:Certificate could handle such a case, i.e. it would be
necessary to detect if the group policy is active.

What are your thoughts on this?

Regards

ACKH



--
View this message in context: 
http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Group-Policy-not-taken-into-account-when-installing-certificate-tp7595652.html
Sent from the wix-devs mailing list archive at Nabble.com.
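
A pre-flight check for the policy described in the message above, as an added example that is not part of the original post and is not WiX code. It assumes the policy is stored under the registry path and flag values defined by the CERT_TRUST_PUB_* constants in wincrypt.h; the function name Get-TrustedPublisherPolicy is hypothetical.

```powershell
# Added example: report who is allowed to manage Trusted Publishers before
# a bootstrapper tries to add a certificate to that store.
# Assumption: path, value name and flag values follow the CERT_TRUST_PUB_*
# constants in wincrypt.h. Get-TrustedPublisherPolicy is a hypothetical name.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer'
$ValueName = 'AuthenticodeFlags'
$TrustMask = 0x3   # CERT_TRUST_PUB_ALLOW_TRUST_MASK

function Get-TrustedPublisherPolicy {
    # A missing key or value means the policy is not configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Flags = $null; Level = 'NotConfigured' }
    }

    $flags = [int]$item.$ValueName
    # Only the low two bits select who may manage the store; higher bits are
    # the publisher and timestamp revocation-check options on the same tab.
    $level = switch ($flags -band $TrustMask) {
        0       { 'EndUser' }          # CERT_TRUST_PUB_ALLOW_END_USER_TRUST
        1       { 'MachineAdmin' }     # CERT_TRUST_PUB_ALLOW_MACHINE_ADMIN_TRUST
        2       { 'EnterpriseAdmin' }  # CERT_TRUST_PUB_ALLOW_ENTERPRISE_ADMIN_TRUST
        default { 'Unknown' }
    }
    [pscustomobject]@{ Configured = $true; Flags = $flags; Level = $level }
}

$policy = Get-TrustedPublisherPolicy
$policy | Format-List

if ($policy.Level -eq 'EnterpriseAdmin') {
    # This is the state in which the message reports error 0x80070005
    # (access denied) from AddMachineCertificate.
    Write-Warning ('Trusted Publishers is restricted to enterprise administrators; ' +
                   'have the certificate deployed through domain policy instead of the installer.')
}
elseif ($policy.Level -eq 'Unknown') {
    Write-Warning "Unrecognised AuthenticodeFlags value: $($policy.Flags)"
}
else {
    Write-Output "Trusted Publishers management level: $($policy.Level)"
}
```

Run it on the target machine before the bootstrapper starts; it only reads the policy value and changes nothing.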
